On Thu, Sep 18, 2025 at 7:07 AM Molina De La Iglesia, Manuel
<[email protected]> wrote:

> Hello,
>
> We have an integration with two Active Directories. On these two ADs there
> are some groups with the same names; therefore, to assign permissions we
> are using distinguishedname.
>
> The AD admin moved one of the groups to a different OU and Guacamole was
> not able to sync this change. Is it a bug, or should we apply any
> configuration or task to force Guacamole to re-read the path of the groups?
>
>
Guacamole does not "sync" Active Directory groups and/or group members.
Guacamole reads these groups at the logon time of each user, determining
whether that user belongs to any of those groups, and applying the
requisite permissions based on that group membership.

If you're using the distinguished name for the group name/identifier, then
a move of that group to a new OU results in a new DN, which means any
permissions you've applied for that group (in the JDBC module, I'm
guessing?) would need to be re-applied to the new group name/identifier.
This isn't really a bug, as the system is working exactly as intended and
designed, but, given your use-case, I can see that it does present a
challenge. It's worth noting that similar things would happen if someone
renamed the group in AD - either in your setup or in a more "stock"
configuration (where CN is used as the identifier, for example) - renaming
a group would result in needing to also rename it in the JDBC module (or
create a new one to match the new name).

-Nick
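
An added example, not part of the original message and not Guacamole code: a check that flags group identifiers used for permissions that no longer match any DN in the directory, and suggests where a moved group went by matching its leaf RDN within the same domain. Both input lists and all DNs are constructed; exporting them from the JDBC database and from each AD is assumed to happen elsewhere.

```python
import re

def split_dn(dn):
    # Lower-cased RDN tuple; a comma preceded by a backslash is an escaped
    # comma inside a value. (An escaped backslash directly before a
    # separator is not handled by this simplified splitter.)
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip())

def leaf_and_domain(dn):
    # (leaf RDN, DC components): keeps same-named groups in the two
    # directories apart while ignoring the OU path that a move changes.
    rdns = split_dn(dn)
    return rdns[:1], tuple(r for r in rdns if r.startswith("dc="))

def find_stale_groups(stored, directory):
    """Map each stored identifier with no matching DN to candidate new DNs."""
    live = {split_dn(d) for d in directory}
    by_key = {}
    for d in directory:
        by_key.setdefault(leaf_and_domain(d), []).append(d)
    return {s: by_key.get(leaf_and_domain(s), [])
            for s in stored if split_dn(s) not in live}

# Constructed sample: identifiers that permissions were assigned to ...
STORED = [
    "CN=Guac-Admins,OU=Groups,DC=corp-a,DC=example",
    "CN=Guac-Admins,OU=Groups,DC=corp-b,DC=example",
    "CN=Guac-Ops,OU=Groups,DC=corp-a,DC=example",
]
# ... and the group DNs that exist in the two directories today.
DIRECTORY = [
    "CN=Guac-Admins,OU=Security,OU=Groups,DC=corp-a,DC=example",  # moved
    "CN=Guac-Admins,OU=Groups,DC=corp-b,DC=example",              # unchanged
]

if __name__ == "__main__":
    for old, candidates in find_stale_groups(STORED, DIRECTORY).items():
        print(old, "->", candidates or "no match (renamed or deleted)")
```

A CN is only unique within its container, so a stale identifier can come back with several candidates; confirm the right one with the AD admin before re-applying permissions to the new DN.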
